Merge remote-tracking branch 'ni/master'

This commit is contained in:
lassulus 2019-04-28 14:18:00 +02:00
commit 915e4b8437
15 changed files with 325 additions and 87 deletions

View File

@ -49,6 +49,7 @@ let
./rtorrent.nix ./rtorrent.nix
./secret.nix ./secret.nix
./setuid.nix ./setuid.nix
./shadow.nix
./syncthing.nix ./syncthing.nix
./tinc.nix ./tinc.nix
./tinc_graphs.nix ./tinc_graphs.nix

View File

@ -88,7 +88,7 @@ with import <stockholm/lib>;
fi fi
done < "$paths" done < "$paths"
''; '';
PrivateTemp = true; PrivateTmp = true;
Restart = "always"; Restart = "always";
RestartSec = 10; RestartSec = 10;
UMask = plan.umask; UMask = plan.umask;

79
krebs/3modules/shadow.nix Normal file
View File

@ -0,0 +1,79 @@
with import <stockholm/lib>;
{ config, pkgs, ... }: let
cfg = config.krebs.shadow;
mergeShadowsJq = pkgs.writeJq "merge-shadows.jq" ''
def fields_3_to_9: ["1", "", "", "", "", "", ""];
def read_value:
split(":") |
if length == 9 then
if .[2:] == fields_3_to_9 then
.
else
error("unrecognized field contents")
end
elif length == 2 then
if .[1] | test("^\\$6\\$") then
. + fields_3_to_9
else
error("unrecognized hashed password")
end
else
error("unexpected field count: expected 9 or 2, got \(length)")
end;
def write_value:
join(":");
split("\n") |
map(select(length > 0) | read_value) |
reverse |
unique_by(.[0]) |
map(write_value) |
sort |
join("\n")
'';
in {
options.krebs.shadow = {
enable = mkEnableOption "krebs.shadow" // {
default = cfg.overridesFile != null;
};
overridesFile = mkOption {
apply = x: if typeOf x == "path" then toString x else x;
default = null;
description = ''
Path to a file containing additional shadow entries, used for adding
encrypted passwords which should not be placed into the Nix store.
The overrides file may contain either regular shadow(5) entries like:
<code>&lt;login-name&gt;:&lt;hashed-password&gt;:1::::::</code>
Or shortened entries only containing login name and password like:
<code>&lt;login-name&gt;:&lt;hashed-password&gt</code>
'';
type = types.nullOr (types.either types.path types.absolute-pathname);
};
};
config = let
in mkIf cfg.enable {
system.activationScripts.users-tv = stringAfter [ "users" ] /* sh */ ''
(
set -efu
umask 77
${pkgs.jq}/bin/jq -Rrs -f ${mergeShadowsJq} \
/etc/shadow ${cfg.overridesFile} > /etc/shadow~
${pkgs.coreutils}/bin/mv /etc/shadow /etc/shadow-
${pkgs.coreutils}/bin/mv /etc/shadow~ /etc/shadow
)
'';
};
}

View File

@ -4,11 +4,11 @@
}: }:
mkDerivation { mkDerivation {
pname = "flameshot-once"; pname = "flameshot-once";
version = "1.1.0"; version = "1.2.0";
src = fetchgit { src = fetchgit {
url = "https://cgit.krebsco.de/flameshot-once"; url = "https://cgit.krebsco.de/flameshot-once";
sha256 = "158ha1yyj3p3mdjjga62j91ml83nhrsg34xbg3dir5cb399j8pxx"; sha256 = "01c11dk8ss37awfn9xqsgx668dcrf4kvzfxlq7ycnqsnpbjjvm0a";
rev = "9d688b6ffad14912bd1afe42555747cb3d213d95"; rev = "cebaefa37095e74ad2253c4e2f9d9ab390f88737";
fetchSubmodules = true; fetchSubmodules = true;
}; };
isLibrary = false; isLibrary = false;

View File

@ -29,7 +29,7 @@ let
eval = evalModules { eval = evalModules {
modules = singleton { modules = singleton {
_file = toString ./config.nix; _file = toString ./profile.nix;
imports = singleton config; imports = singleton config;
options = { options = {
buttons = mkOption { buttons = mkOption {
@ -77,6 +77,14 @@ let
default = false; default = false;
type = types.bool; type = types.bool;
}; };
timeout = mkOption {
default = 100;
description = ''
Maximum time in milliseconds allowed for the flameshot daemon to
react.
'';
type = types.positive;
};
}; };
}; };
}; };
@ -125,5 +133,6 @@ in
pkgs.writeDash "flameshot.profile" '' pkgs.writeDash "flameshot.profile" ''
export FLAMESHOT_CAPTURE_PATH=${cfg.savePath} export FLAMESHOT_CAPTURE_PATH=${cfg.savePath}
export FLAMESHOT_ONCE_TIMEOUT=${toString cfg.timeout}
export XDG_CONFIG_HOME=${XDG_CONFIG_HOME} export XDG_CONFIG_HOME=${XDG_CONFIG_HOME}
'' ''

View File

@ -17,6 +17,7 @@ with import <stockholm/lib>;
./bash ./bash
./htop.nix ./htop.nix
./nginx ./nginx
./pki
./ssh.nix ./ssh.nix
./sshd.nix ./sshd.nix
./vim.nix ./vim.nix
@ -90,15 +91,6 @@ with import <stockholm/lib>;
}; };
} }
{
environment.variables =
flip genAttrs (_: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt") [
"CURL_CA_BUNDLE"
"GIT_SSL_CAINFO"
"SSL_CERT_FILE"
];
}
{ {
services.cron.enable = false; services.cron.enable = false;
services.nscd.enable = false; services.nscd.enable = false;

View File

@ -8,5 +8,6 @@
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
manpages manpages
posix_man_pages posix_man_pages
xorg.xorgdocs
]; ];
} }

View File

@ -0,0 +1,31 @@
tv Root CA
-----BEGIN CERTIFICATE-----
MIIFGzCCAwOgAwIBAgIUbLFkDA1OgKbej/FQiJZ4gpGPg/4wDQYJKoZIhvcNAQEL
BQAwFTETMBEGA1UEAwwKdHYgUm9vdCBDQTAeFw0xOTA0MjEwNzI1MTdaFw0yOTA0
MTgwNzI1MTdaMBUxEzARBgNVBAMMCnR2IFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQDEVpZo1PLayK2AULwNtRY/2RIs/h+Uz1k/I7AY5o7H
HTD6pxNH3DZS82Y89nAHDVEnotK26TW6N1O2fBHUxH2GXVD+MaA/D9ngbNTJa7DW
2EThezOyesAbXk7dkoHh4Bouj5L7Ronka5+IREFmb3mHmcXLuR/sot9Pwr9A7Lwm
55Avv+VwMFnqVMXiCYQsDL7Mxf7Vm79+kXShpfDhNmHhyZc/xPjVk7lttSEp0LCq
hhJjte3xDGbk7OThTSxoqP+K4Ek7NGatCcm4AUZlDl1kLN2QKudYqj0VRQpfE+4Q
jMAAtttc/10MV0e08pRK0FvJsDsi70YZrHnDP6hIBrRNjC8iB/8rz2pjnYzgriUt
HHEDr26234VB5Zqhsi8pmXA16FVkoKlucADXXKEcR/3VreTvZLdSsP3OrDdSCwhi
H2W/7tshDPp+I9Q9fGNixry7PODbud1h/wLsq3Geg/U6VkDdl7uDNMB/O7LvlFaC
7jkHv/xFLqV1Xx9+yFMdJTKLf9jnIIjeINfV4VcJZDrtgGpnC6cYD5DNLA4j7Mny
EnBV9IRhmKiZLvUZP62dPhqIfSSPNxXV2+rT5ZfaXCuVe79R5npgJzF7/qslvnZ6
0mjZfQdJiXY+/oT9zPUxTroFx7Qtda15aIVwXR+1cMRY/Hg/uBQyp7yWsvwhPYwH
awIDAQABo2MwYTAdBgNVHQ4EFgQUWYjGpR7J/UqggxQV87hBQ8ZT0qkwHwYDVR0j
BBgwFoAUWYjGpR7J/UqggxQV87hBQ8ZT0qkwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAA++eAA7KLEd4n05n8w95sJ7
cxqQSkVxV3ASnEUQRwVGo3CqEKcNufbCTG7KKGQFUi2Xd3/SWgnEiSZZWo06azbV
vlquG+9ilwnrnqfjlbUEjLMHDzukrEeIiRuFY7gZv6S2o4WkW/M9IPkP34+PRjip
AJ8kFcy7wLPaeH7OagslAVUcf68lMm+8W4U1g0HZaY2zXFgdRrIO1dXKlJ22Wh4X
fcblHjkASAGi+BK+xRJ9G7s3sie2wPyk+WKKv0Z+WheKf+L+TPBg2sJ+d25gW+gG
XNJSQOzCqSfHrCtcW1xkGgifog28/ymN03ggn8oMBUebOp+ayLkbPQDaj6te3y1v
YE0cfkzQ0T6sSzPzoOrwBEuSX8cLWTpzO2Zgqbf36UtHjgxi58vY46p7MjAInxAf
j+k67rF7qWH38drg4nfGjNgiEdeJw9dtDFdmso+ZiWipUyGF4VYh+Q6JnXDMF0+A
wXcYWa7ckXvVOLVpHJfrLDYTXznGnk2u4ToVNEk1j/klMRn96lxfFg04iv8fz8m6
/Y8g0G1uIT5Mq9l68oZUoEkUHZabPNhYOiYtg4t5v/T3AIV8nm2A5jZYj0am26xT
iqF/tqL3alWXs9OHP7FNdrVWtwO8vcspYcd4mOHdAC/dmhq+77BowR5Lldx9T+mR
QT8jW9PXL0IH0wKMBXxf
-----END CERTIFICATE-----

View File

@ -0,0 +1,68 @@
with import <stockholm/lib>;
{ config, pkgs, ... }: let
certFile = config.environment.etc."ssl/certs/ca-certificates.crt".source;
in {
environment.etc."pki/nssdb".source =
pkgs.runCommand "system-wide-nssdb" {
inherit certFile;
buildInputs = [
pkgs.jq
pkgs.nssTools
];
parseInfoScript = /* jq */ ''
${toJSON certFile} as $certFile |
split("\t-----END CERTIFICATE-----\n")[] |
select(test("\t-----BEGIN CERTIFICATE-----\n")) |
. + "\t-----END CERTIFICATE-----\n" |
sub("^([0-9]+\t\n)*";"") |
(match("^([0-9]+)\t").captures[0].string | tonumber) as $lineNumber |
gsub("(?m)^[0-9]+\t";"") |
match("^([^\n]+)\n(.*)";"m").captures | map(.string) |
# Line numbers are added to the names to ensure uniqueness.
"\(.[0]) (\($certFile):\($lineNumber))" as $name |
.[1] as $cert |
{ $name, $cert }
'';
passAsFile = [
"parseInfoScript"
];
} /* sh */ ''
mkdir nssdb
nl -ba -w1 "$certFile" |
jq -ceRs -f "$parseInfoScriptPath" > certinfo.ndjson
exec < certinfo.ndjson
while read -r certinfo; do
name=$(printf %s "$certinfo" | jq -er .name)
cert=$(printf %s "$certinfo" | jq -er .cert)
printf %s "$cert" | certutil -A -d nssdb -n "$name" -t C,C,C
done
mv nssdb "$out"
'';
environment.variables = flip genAttrs (_: toString certFile) [
"CURL_CA_BUNDLE"
"GIT_SSL_CAINFO"
"SSL_CERT_FILE"
];
security.pki.certificateFiles =
mapAttrsToList
(name: const (./certs + "/${name}"))
(filterAttrs (const (eq "regular"))
(readDir ./certs));
}

View File

@ -1,58 +0,0 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
pkgs.writeText "Xresources" /* xdefaults */ ''
URxvt*cutchars: "\\`\"'&()*,;<=>?@[]^{|}"
URxvt*eightBitInput: false
URxvt*font: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1
URxvt*boldFont: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1
URxvt*scrollBar: false
URxvt*background: #050505
URxvt*foreground: #d0d7d0
URxvt*cursorColor: #f042b0
URxvt*cursorColor2: #f0b000
URxvt*cursorBlink: off
URxvt*jumpScroll: true
URxvt*allowSendEvents: false
URxvt*charClass: 33:48,37:48,45-47:48,64:48,38:48,61:48,63:48
URxvt*cutNewline: False
URxvt*cutToBeginningOfLine: False
URxvt*color0: #232342
URxvt*color3: #c07000
URxvt*color4: #4040c0
URxvt*color7: #c0c0c0
URxvt*color8: #707070
URxvt*color9: #ff6060
URxvt*color10: #70ff70
URxvt*color11: #ffff70
URxvt*color12: #7070ff
URxvt*color13: #ff50ff
URxvt*color14: #70ffff
URxvt*color15: #ffffff
URxvt*iso14755: False
URxvt*urgentOnBell: True
URxvt*visualBell: True
! ref https://github.com/muennich/urxvt-perls
URxvt*perl-ext: default,url-select
URxvt*keysym.M-u: perl:url-select:select_next
URxvt*url-select.launcher: /etc/per-user/${config.krebs.build.user.name}/bin/ff -new-tab
URxvt*url-select.underline: true
URxvt*colorUL: #4682B4
URxvt.perl-lib: ${pkgs.urxvt_perls}/lib/urxvt/perl
URxvt*saveLines: 10000
root-urxvt*background: #230000
root-urxvt*foreground: #e0c0c0
root-urxvt*BorderColor: #400000
root-urxvt*color0: #800000
fzmenu-urxvt*background: rgb:42/23/42
fzmenu-urxvt*externalBorder: 1
fzmenu-urxvt*geometry: 70x9
fzmenu-urxvt*internalBorder: 1
''

View File

@ -9,12 +9,16 @@ let
}; };
in { in {
imports = [
./sxiv.nix
./urxvt.nix
];
environment.systemPackages = [ environment.systemPackages = [
pkgs.ff pkgs.ff
pkgs.font-size pkgs.font-size
pkgs.gitAndTools.qgit pkgs.gitAndTools.qgit
pkgs.mpv pkgs.mpv
pkgs.sxiv
pkgs.xdotool pkgs.xdotool
pkgs.xsel pkgs.xsel
pkgs.zathura pkgs.zathura
@ -73,7 +77,6 @@ in {
${pkgs.xorg.xhost}/bin/xhost -LOCAL: ${pkgs.xorg.xhost}/bin/xhost -LOCAL:
} & } &
${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} & ${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} &
${pkgs.xorg.xrdb}/bin/xrdb ${import ./Xresources.nix args} &
${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' & ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
wait wait
''; '';
@ -147,19 +150,6 @@ in {
}; };
}; };
systemd.services.urxvtd = {
wantedBy = [ "graphical.target" ];
restartIfChanged = false;
serviceConfig = {
SyslogIdentifier = "urxvtd";
ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
Restart = "always";
RestartSec = "2s";
StartLimitBurst = 0;
User = cfg.user.name;
};
};
tv.slock = { tv.slock = {
enable = true; enable = true;
user = cfg.user; user = cfg.user;

View File

@ -0,0 +1,12 @@
with import <stockholm/lib>;
{ config, pkgs, ... }: let
cfg.user = config.krebs.build.user;
in {
tv.Xresources = {
"Sxiv.foreground" = "#232323";
"Sxiv.background" = "#424242";
};
users.users.${cfg.user.name}.packages = [
pkgs.sxiv
];
}

View File

@ -0,0 +1,73 @@
with import <stockholm/lib>;
{ config, pkgs, ... }: let
cfg.user = config.krebs.build.user;
in {
systemd.services.urxvtd = {
wantedBy = [ "graphical.target" ];
restartIfChanged = false;
serviceConfig = {
SyslogIdentifier = "urxvtd";
ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
Restart = "always";
RestartSec = "2s";
StartLimitBurst = 0;
User = cfg.user.name;
};
};
tv.Xresources = {
"URxvt*cutchars" = ''"\\`\"'&()*,;<=>?@[]^{|}"'';
"URxvt*eightBitInput" = "false";
"URxvt*font" = "-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
"URxvt*boldFont" = "-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
"URxvt*scrollBar" = "false";
"URxvt*background" = "#050505";
"URxvt*foreground" = "#d0d7d0";
"URxvt*cursorColor" = "#f042b0";
"URxvt*cursorColor2" = "#f0b000";
"URxvt*cursorBlink" = "off";
"URxvt*jumpScroll" = "true";
"URxvt*allowSendEvents" = "false";
"URxvt*charClass" = "33:48,37-38:48,45-47:48,61:48,63-64:48";
"URxvt*cutNewline" = "False";
"URxvt*cutToBeginningOfLine" = "False";
"URxvt*color0" = "#232342";
"URxvt*color3" = "#c07000";
"URxvt*color4" = "#4040c0";
"URxvt*color7" = "#c0c0c0";
"URxvt*color8" = "#707070";
"URxvt*color9" = "#ff6060";
"URxvt*color10" = "#70ff70";
"URxvt*color11" = "#ffff70";
"URxvt*color12" = "#7070ff";
"URxvt*color13" = "#ff50ff";
"URxvt*color14" = "#70ffff";
"URxvt*color15" = "#ffffff";
"URxvt*iso14755" = "False";
"URxvt*urgentOnBell" = "True";
"URxvt*visualBell" = "True";
# ref https://github.com/muennich/urxvt-perls
"URxvt*perl-ext" = "default,url-select";
"URxvt*keysym.M-u" = "perl:url-select:select_next";
"URxvt*url-select.launcher" =
"/etc/profiles/per-user/${cfg.user.name}/bin/ff -new-tab";
"URxvt*url-select.underline" = "true";
"URxvt*colorUL" = "#4682B4";
"URxvt.perl-lib" = "${pkgs.urxvt_perls}/lib/urxvt/perl";
"URxvt*saveLines" = "10000";
"URxvt*modifier" = "mod1";
"root-urxvt*background" = "#230000";
"root-urxvt*foreground" = "#e0c0c0";
"root-urxvt*BorderColor" = "#400000";
"root-urxvt*color0" = "#800000";
"fzmenu-urxvt*background" = "rgb:42/23/42";
"fzmenu-urxvt*externalBorder" = "1";
"fzmenu-urxvt*geometry" = "70x9";
"fzmenu-urxvt*internalBorder" = "1";
};
}

View File

@ -0,0 +1,39 @@
with import <stockholm/lib>;
{ config, pkgs, ... }: let
cfg = {
enable = config.tv.Xresources != {};
user = config.krebs.build.user;
};
in {
options.tv.Xresources = mkOption {
default = {};
type = types.attrsOf types.str;
};
config = {
nixpkgs.overlays = singleton (self: super: {
tv = super.tv or {} // {
Xresources =
self.writeText "Xresources"
(concatStrings (mapAttrsToList (name: value: /* xdefaults */ ''
${name}: ${value}
'') config.tv.Xresources));
};
});
systemd.services.${if cfg.enable then "Xresources" else null} = {
wantedBy = [ "graphical.target" ];
after = [ "xserver.service" ];
requires = [ "xserver.service" ];
environment = {
DISPLAY = ":${toString config.services.xserver.display}";
};
serviceConfig = {
ExecStart = "${pkgs.xorg.xrdb}/bin/xrdb ${pkgs.tv.Xresources}";
RemainAfterExit = true;
SyslogIdentifier = "Xresources";
Type = "oneshot";
User = cfg.user.name;
WorkingDirectory = cfg.user.home;
};
};
};
}

View File

@ -7,5 +7,6 @@
./iptables.nix ./iptables.nix
./slock.nix ./slock.nix
./x0vncserver.nix ./x0vncserver.nix
./Xresources.nix
]; ];
} }